[nsp-sec] DoS Attack against Level3
Joel Rosenblatt
joel at columbia.edu
Thu Jul 21 11:31:02 EDT 2011
Hi,
This is what I've got for the last 1/2 hour or so - nothing exciting
Thanks,
Joel
Calling flowdumper with the following filter:
filter-primitive general-ip
type ip-address-prefix
permit 192.221.69.45/32
permit 192.221.72.51/32
permit 205.128.90.51/32
permit 4.23.54.51/32
permit 205.128.70.51/32
permit 206.33.57.51/32
permit 199.93.56.51/32
filter-definition snoopy
match ip-source-address general-ip
or
match ip-destination-address general-ip

Running the following files through the filter:
/hmt/sirius1/netflow/flows/saved//ft-v05.2011-07-21.110000-0400
/hmt/sirius1/netflow/flows/saved//ft-v05.2011-07-21.110500-0400
/hmt/sirius1/netflow/flows/saved//ft-v05.2011-07-21.111000-0400
/hmt/sirius1/netflow/flows/saved//ft-v05.2011-07-21.111500-0400
/hmt/sirius1/netflow/flows/saved//ft-v05.2011-07-21.112000-0400
--------------------------------------------------------------------------------
For all non-ICMP traffic, output is
date time srcip.srcport -> dstip.dstport protocol packets bytes
--------------------------------------------------------------------------------
2011/07/21 10:59:57 156.111.70.150.1037 -> 205.128.70.51.53 17 1 74
2011/07/21 10:59:57 205.128.70.51.53 -> 156.111.70.150.1037 17 1 336
2011/07/21 11:00:36 156.111.60.150.41869 -> 205.128.70.51.53 17 1 78
2011/07/21 11:00:36 205.128.70.51.53 -> 156.111.60.150.41869 17 1 346
2011/07/21 11:01:40 128.59.59.92.34390 -> 192.221.69.45.53 17 1 78
2011/07/21 11:01:40 192.221.69.45.53 -> 128.59.59.92.34390 17 1 346
2011/07/21 11:02:39 156.111.60.150.27443 -> 206.33.57.51.53 17 1 84
2011/07/21 11:02:39 206.33.57.51.53 -> 156.111.60.150.27443 17 1 356
2011/07/21 11:02:48 128.59.62.11.24782 -> 192.221.69.45.53 17 1 88
2011/07/21 11:02:48 192.221.69.45.53 -> 128.59.62.11.24782 17 1 369
2011/07/21 11:03:50 156.111.60.150.8361 -> 205.128.90.51.53 17 1 83
2011/07/21 11:03:50 205.128.90.51.53 -> 156.111.60.150.8361 17 1 354
2011/07/21 11:05:43 128.59.59.92.15406 -> 192.221.69.45.53 17 1 80
2011/07/21 11:05:51 205.128.90.51.53 -> 156.111.60.150.24036 17 1 336
2011/07/21 11:07:32 128.59.59.92.62889 -> 192.221.69.45.53 17 1 83
2011/07/21 11:07:32 192.221.69.45.53 -> 128.59.59.92.62889 17 1 354
2011/07/21 11:10:05 128.59.59.92.10347 -> 192.221.69.45.53 17 1 83
2011/07/21 11:10:05 192.221.69.45.53 -> 128.59.59.92.10347 17 1 354
2011/07/21 11:10:07 156.111.70.150.3263 -> 205.128.90.51.53 17 1 74
2011/07/21 11:10:07 205.128.90.51.53 -> 156.111.70.150.3263 17 1 336
2011/07/21 11:10:40 156.111.70.150.31763 -> 205.128.70.51.53 17 1 78
2011/07/21 11:10:40 205.128.70.51.53 -> 156.111.70.150.31763 17 1 346
2011/07/21 11:11:48 192.221.72.51.53 -> 156.111.60.150.50151 17 1 336
2011/07/21 11:13:59 156.111.60.150.38398 -> 206.33.57.51.53 17 1 84
2011/07/21 11:13:59 206.33.57.51.53 -> 156.111.60.150.38398 17 1 356
2011/07/21 11:14:28 128.59.176.100.12691 -> 192.221.69.45.53 17 1 96
2011/07/21 11:14:28 192.221.69.45.53 -> 128.59.176.100.12691 17 1 323
2011/07/21 11:14:32 156.111.60.150.58218 -> 206.33.57.51.53 17 1 83
2011/07/21 11:14:32 206.33.57.51.53 -> 156.111.60.150.58218 17 1 354
2011/07/21 11:15:38 192.221.69.45.53 -> 128.59.59.92.17416 17 1 336
2011/07/21 11:15:48 156.111.70.150.36954 -> 206.33.57.51.53 17 1 78
2011/07/21 11:15:48 156.111.70.150.47773 -> 206.33.57.51.53 17 1 78
2011/07/21 11:15:48 206.33.57.51.53 -> 156.111.70.150.36954 17 1 346
2011/07/21 11:15:48 206.33.57.51.53 -> 156.111.70.150.47773 17 1 346
2011/07/21 11:16:57 128.59.62.11.30415 -> 192.221.69.45.53 17 1 78
2011/07/21 11:16:57 128.59.62.11.63986 -> 192.221.69.45.53 17 1 78
2011/07/21 11:16:57 192.221.69.45.53 -> 128.59.62.11.30415 17 1 346
2011/07/21 11:16:57 192.221.69.45.53 -> 128.59.62.11.63986 17 1 346
2011/07/21 11:17:05 128.59.62.11.21137 -> 192.221.69.45.53 17 1 74
2011/07/21 11:17:05 192.221.69.45.53 -> 128.59.62.11.21137 17 1 336
2011/07/21 11:17:49 206.33.57.51.53 -> 156.111.60.150.22592 17 1 336
2011/07/21 11:18:18 156.145.75.99.57129 -> 205.128.90.51.53 17 1 71
2011/07/21 11:18:18 205.128.90.51.53 -> 156.145.75.99.57129 17 1 300
2011/07/21 11:18:28 128.59.176.100.13275 -> 205.128.70.51.53 17 1 89
2011/07/21 11:18:28 205.128.70.51.53 -> 128.59.176.100.13275 17 1 316
2011/07/21 11:18:43 128.59.176.100.18723 -> 205.128.70.51.53 17 1 96
2011/07/21 11:18:43 205.128.70.51.53 -> 128.59.176.100.18723 17 1 323
2011/07/21 11:19:01 128.59.176.100.15569 -> 205.128.70.51.53 17 1 83
2011/07/21 11:19:01 128.59.176.100.31738 -> 205.128.70.51.53 17 1 83
2011/07/21 11:19:01 128.59.176.100.44878 -> 205.128.70.51.53 17 1 83
2011/07/21 11:19:01 205.128.70.51.53 -> 128.59.176.100.15569 17 1 280
2011/07/21 11:19:01 205.128.70.51.53 -> 128.59.176.100.31738 17 1 310
2011/07/21 11:19:01 205.128.70.51.53 -> 128.59.176.100.44878 17 1 152
2011/07/21 11:19:10 206.33.57.51.53 -> 156.111.60.150.10021 17 1 356
2011/07/21 11:20:46 128.59.176.100.12176 -> 205.128.70.51.53 17 1 83
2011/07/21 11:20:46 128.59.176.100.48480 -> 205.128.70.51.53 17 1 83
2011/07/21 11:20:46 128.59.176.100.53015 -> 205.128.70.51.53 17 1 86
2011/07/21 11:20:46 128.59.176.100.61076 -> 205.128.70.51.53 17 1 83
2011/07/21 11:20:46 205.128.70.51.53 -> 128.59.176.100.12176 17 1 280
2011/07/21 11:20:46 205.128.70.51.53 -> 128.59.176.100.48480 17 1 280
2011/07/21 11:20:46 205.128.70.51.53 -> 128.59.176.100.53015 17 1 313
2011/07/21 11:20:46 205.128.70.51.53 -> 128.59.176.100.61076 17 1 152
2011/07/21 11:20:48 128.59.59.92.35781 -> 192.221.69.45.53 17 1 74
2011/07/21 11:20:48 192.221.69.45.53 -> 128.59.59.92.35781 17 1 336
2011/07/21 11:20:51 156.111.70.150.16793 -> 4.23.54.51.53 17 1 76
2011/07/21 11:20:51 4.23.54.51.53 -> 156.111.70.150.16793 17 1 367
2011/07/21 11:21:25 128.59.176.100.18138 -> 205.128.70.51.53 17 1 83
2011/07/21 11:21:25 205.128.70.51.53 -> 128.59.176.100.18138 17 1 299
2011/07/21 11:21:43 192.221.69.45.53 -> 156.111.70.150.25202 17 1 336
2011/07/21 11:22:28 205.128.90.51.53 -> 156.111.60.150.21529 17 1 354
2011/07/21 11:22:50 156.111.60.150.31265 -> 206.33.57.51.53 17 1 74
2011/07/21 11:22:50 206.33.57.51.53 -> 156.111.60.150.31265 17 1 336
2011/07/21 11:23:20 128.59.176.100.41309 -> 205.128.70.51.53 17 1 83
2011/07/21 11:23:20 128.59.176.100.47537 -> 205.128.70.51.53 17 1 84
2011/07/21 11:23:20 128.59.176.100.47635 -> 205.128.70.51.53 17 1 83
2011/07/21 11:23:20 128.59.176.100.9501 -> 205.128.70.51.53 17 1 83
2011/07/21 11:23:20 205.128.70.51.53 -> 128.59.176.100.41309 17 1 152
2011/07/21 11:23:20 205.128.70.51.53 -> 128.59.176.100.47537 17 1 311
2011/07/21 11:23:20 205.128.70.51.53 -> 128.59.176.100.47635 17 1 280
2011/07/21 11:23:20 205.128.70.51.53 -> 128.59.176.100.9501 17 1 280
2011/07/21 11:23:52 128.59.176.100.10849 -> 205.128.70.51.53 17 1 83
2011/07/21 11:23:52 205.128.70.51.53 -> 128.59.176.100.10849 17 1 299
--On Thursday, July 21, 2011 9:09 AM -0600 "Janish, Nathan" <Nathan.Janish at Level3.com> wrote:
> ----------- nsp-security Confidential --------
>
> Hello Everyone,
>
> We are currently experiencing a DoS attack and would appreciate the assistance of anyone who could possibly provide us with some of their netflows.
>
> Destinations that are currently being attacked are,
>
> 192.221.69.45
> 192.221.72.51
> 205.128.90.51
> 4.23.54.51
> 205.128.70.51
> 206.33.57.51
> 199.93.56.51
>
> Thanks in Advance,
>
> Nathan Janish
> Level3 Communications
> Manager, Network Security
> 720.888.3350
> nathan.janish at level3.com
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
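
An added example, not part of the original post and not flow-tools code: a small Python parser for the non-ICMP output format listed above (`date time srcip.srcport -> dstip.dstport protocol packets bytes`) that totals flows and bytes per watched address and counts flows whose reverse 5-tuple is absent from the capture. The sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the non-ICMP output format shown in the post.
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
2011/07/21 11:00:01 198.51.100.10.1037 -> 192.0.2.53.53 17 1 74
2011/07/21 11:00:01 192.0.2.53.53 -> 198.51.100.10.1037 17 1 336
2011/07/21 11:00:09 198.51.100.11.41869 -> 192.0.2.53.53 17 1 78
2011/07/21 11:00:30 192.0.2.53.53 -> 198.51.100.12.24036 17 1 336
"""

# date time srcip.srcport -> dstip.dstport protocol packets bytes
LINE = re.compile(r"^\S+ \S+ (\S+)\.(\d+) -> (\S+)\.(\d+) (\d+) (\d+) (\d+)$")

def parse(text):
    """Yield (src, sport, dst, dport, proto, packets, octets) per flow line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # banners, separators and other non-flow lines are skipped
            src, sport, dst, dport, proto, pkts, octets = m.groups()
            yield src, int(sport), dst, int(dport), int(proto), int(pkts), int(octets)

def summarize(text, watched):
    """Per watched address: flows and bytes each way, peers, unpaired flows."""
    flows = list(parse(text))
    seen = {(p, s, sp, d, dp) for s, sp, d, dp, p, _, _ in flows}
    stats = defaultdict(lambda: {"to_flows": 0, "to_bytes": 0, "from_flows": 0,
                                 "from_bytes": 0, "peers": set(),
                                 "unpaired_to": 0, "unpaired_from": 0})
    for s, sp, d, dp, p, _, octets in flows:
        paired = (p, d, dp, s, sp) in seen  # is the reverse 5-tuple present?
        if d in watched:
            st = stats[d]
            st["to_flows"] += 1
            st["to_bytes"] += octets
            st["peers"].add(s)
            st["unpaired_to"] += int(not paired)
        if s in watched:
            st = stats[s]
            st["from_flows"] += 1
            st["from_bytes"] += octets
            st["peers"].add(d)
            st["unpaired_from"] += int(not paired)
    return dict(stats)

if __name__ == "__main__":
    for ip, st in summarize(SAMPLE, {"192.0.2.53"}).items():
        print(ip, {k: (len(v) if k == "peers" else v) for k, v in st.items()})
```

A flow with no reverse 5-tuple may simply have its partner in a neighbouring five-minute file or have been lost to sampling, so the unpaired counts are a prompt to widen the time window, not a finding on their own.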